Brett's Ramblings


5 tips on how not to be outdone, outmaneuvered, or just outright embarrassed in DFIR.

Even a monkey can fall out of a tree.

Short version:

  1. Bring your A Game
  2. Don’t hold back
  3. Be prepared
  4. Know what you claim to know
  5. Fight complacency

The longer version (and the version you should read):

First, here’s what I mean about being outdone, outmaneuvered, or plain outright embarrassed in DFIR: someone or something kicks your butt in the arena. The ‘arena’ could be in court, or mitigating a breach, or just working a case where nothing is going right for you. Sometimes the arena feels like a circus. The last place you want to be in that kind of circus is the center of attention wearing clown shoes with a red nose. Trust me. I’ve been there more than once (I will talk about my experiences in tomorrow’s podcast).

Bring Your A Game

If you don’t approach every scenario with the intention to do the best you can do, then you have some chance of screwing it up. Maybe it will work out like it has for the past 50 similar situations, but I promise that the day is near when you will screw up just because you didn't do your best. You must bring your A Game each and every time, regardless of how small the task or how monumental the objective.

I will give you one mindset shift that will help you: Never accept when someone tells you “good luck” and never wish someone “good luck”. Luck can beat most anything, but luck is simply chance.

Here is a better way to look at the “good luck” saying. Rather than good luck, simply ‘do your best’. If a team member is about to tackle a problem, especially a potentially public problem, telling your team member to do their best is better encouragement than wishing them luck. For a good example of this theory, check out the Japanese. They don’t wish luck. It is “Gambatte!” which translates to ‘do your best’. Both of my kids were raised with “Gambatte!” their entire lives as their mother is Japanese. I have never seen either depend on good luck to win a sports match, compete in a music recital, or get into the colleges they wanted. Live by doing your best, not by hoping that the best will happen by luck.

Do your best each time you approach a scene, scenario, situation, incident, task, computer, malicious file, or meeting. Focus as if the only thing that matters is the task at hand, because that is all that matters. Never ever trick yourself into thinking that ‘this time’ is just like the ‘last 100 times’. Every time is the first time, and it is the only time that matters.

I’ll bring this around to the military. In Marine Corps Boot Camp, a drill instructor asked me (asked is polite for how it came out of his mouth) how many rounds are fired for rifle qualification. As he repeated his question in case I didn't hear it the first 10 times, I tried to count how many rounds were fired at each line of fire, and of course, I got the answer wrong.

The answer, which sticks with me today and which I have repeated in everything I have taught for decades since, is that there is exactly one round fired in any firearms qualification. The round fired prior doesn’t count. The round to fire after the current round doesn’t count. The only one that counts is the round you are firing. Same with any task in DFIR. It doesn’t matter what you have done before, how many times you have done it, or how many more times you will do it. The only thing that matters is this time.

One round. One chance. One opportunity. Focus on the current thing as if it is the only thing, because it is.

Don’t Hold Back

If you get really good at what you do, you may tone down your efforts a little just because you only need to do 75% to solve the problem (whatever the problem is). Do not do that. Go at it full speed and full energy as if you don’t know how your task will turn out, because in reality, you don’t know how it will turn out regardless of how much effort you put into it.

Holding back in DFIR work means that you could be going all out to solve a problem, but you figure, “nahh, I’ll just run the so-and-so application over the drive and be done with it”, or “I beat that opposing expert in court last time, so I’m fine to go up against him tomorrow.” When you hold back, your opponent, whether it is a person or data, will eventually take advantage of you holding back.

Be Prepared

This is an easy one, but something we tend to slack off on the more we do the same thing over and over. In everything you do, be prepared. Think back to how many times you had to do something and assumed that you had the tools in your toolbox, or the dongle in your Go-bag, or that your software license was current, and when you needed to use it, you couldn't. When you run into a situation where this sort of thing happens, it is solely because you were not prepared.

An uncomfortable related preparation issue is that of your teammates. If you must rely on someone else to do their job in order for you to do your job, be sure that they do their job. The buck stops with you, and blaming someone else is a bucket that holds no water. Don’t assume that a teammate (co-worker or whomever) will be prepared to the extent that you need them to be prepared. I have too many examples of this happening to me, where entire operations had to be cancelled because someone forgot something that they were told to bring. Double-check. The end result will reflect on you, regardless of whether a teammate is to blame (and if it is your gig, it is your responsibility to make sure).

The two-prong point is that you need to be personally prepared, and if you depend on any other person in order to do your job, you need to supervise them in doing theirs. Yes. Technically you are ‘supervising’ someone, but more specifically, you are making sure that you can do your job.

Know what you claim to know

If you are reading this blog post, especially to this point, you have dug deep in the world of DFIR. My assumption is that you know more about the DFIR field than the average computer user. That means you know far more than simply ‘what is a computer’. I would bet that if you were thrown into court tomorrow and quizzed, the court would qualify you as an expert in some aspect of the DFIR world that you know. The reason is that you know more than the average bear. That makes you an expert.

Here’s the thing to remember: being an expert, or someone considering you to be an expert, or even a judge qualifying you as an expert does not mean you know everything. Quite the opposite. It means you know more than most people, but you are also acutely aware that you are learning all the time.

Those who have been doing this work for more than a few days will never say that they know everything, or that they know everything about even one small thing. There are too many variables, too many moving parts, and too many unknowns to claim to know it all or be a know-it-all.

But if you claim to know something, you had better know it, because one day, you will be called upon to prove it. You won’t have time to prepare. You won’t have time to learn it. You won’t have time to practice. It will be game-on at that moment.

Fight complacency

The better you get at what you do, the better you get at what you do. Which means, the better you hone a skill, the more honed that skill naturally becomes. Realize that this is a good thing, but it comes at a price. The price is complacency. Complacency will sink your career and skills faster than a long-tailed cat running through a room full of rocking chairs. In some jobs, your life may depend on not being complacent.

(Back to my wife.) I have had the fortune of "luck" by working hard to get good results. At times, I would brag about some of the things that I have done, and my wife would always give me a Japanese proverb: “Even a monkey can fall from a tree”. Not until I was t-boned in a patrol car did I really take this to heart. I’ll talk about the wreck in my podcast, but suffice to say that I consider myself to be a monkey that is trying not to fall out of a tree, regardless of how good I am at climbing trees.

The point

Everything you do needs to be done with pinpoint focus, as if the task at hand is more important than it appears. I am not suggesting that you stress yourself out when you have to image a drive or run AV against media, but when you do the little things with focus, the bigger things will be more easily handled.

When I am hired for peer-review reports to find flaws, I can instantly pick out where the analyst was lazy, or complacent, or is relying on past experience and luck rather than focusing on the work or even focusing on the report. Any time I hear someone say, “I’ll just knock out a quick write-up”, I cringe. If it relates to my case, my responsibility, my name, my reputation, or any aspect of my work, I stop-drop-and-roll with a clear “That report better be your best work or don’t give it to me.”

A warning

You will get caught off-guard at some point. Unprepared. Surprised. And you’ll have to sit in the hot seat until it is over. BUT! If you at least do the five things in this post, the chances that you will be in that hot seat will be lower, and when it happens, it won’t be so bad, because you will know that you did your best.
